[OSGeoLive] reg GDAL with ASLR build binaries

Brian M Hamlin maplabs at light42.com
Wed Aug 5 12:56:56 PDT 2020


FYI on OSGeoLive 2020 'Focal'  pre-alpha, output shows:

$ readelf -l /usr/bin/gdalinfo

Elf file type is DYN (Shared object file)
Entry point 0x1870
There are 13 program headers, starting at offset 64

Program Headers:
   Type           Offset             VirtAddr PhysAddr
                  FileSiz            MemSiz Flags  Align
   PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                  0x00000000000002d8 0x00000000000002d8 R      0x8
   INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
                  0x000000000000001c 0x000000000000001c R      0x1
       [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                  0x0000000000000eb8 0x0000000000000eb8 R      0x1000
   LOAD           0x0000000000001000 0x0000000000001000 0x0000000000001000
                  0x00000000000009e5 0x00000000000009e5 R E    0x1000
   LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000
                  0x00000000000004c8 0x00000000000004c8 R      0x1000
   LOAD           0x0000000000002ca8 0x0000000000003ca8 0x0000000000003ca8
                  0x0000000000000368 0x0000000000000370 RW     0x1000
   DYNAMIC        0x0000000000002cb8 0x0000000000003cb8 0x0000000000003cb8
                  0x0000000000000200 0x0000000000000200 RW     0x8
   NOTE           0x0000000000000338 0x0000000000000338 0x0000000000000338
                  0x0000000000000020 0x0000000000000020 R      0x8
   NOTE           0x0000000000000358 0x0000000000000358 0x0000000000000358
                  0x0000000000000044 0x0000000000000044 R      0x4
   GNU_PROPERTY   0x0000000000000338 0x0000000000000338 0x0000000000000338
                  0x0000000000000020 0x0000000000000020 R      0x8
   GNU_EH_FRAME   0x0000000000002348 0x0000000000002348 0x0000000000002348
                  0x0000000000000044 0x0000000000000044 R      0x4
   GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                  0x0000000000000000 0x0000000000000000 RW     0x10
   GNU_RELRO      0x0000000000002ca8 0x0000000000003ca8 0x0000000000003ca8
                  0x0000000000000358 0x0000000000000358 R      0x1

  Section to Segment mapping:
   Segment Sections...
    00
    01     .interp
    02     .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
    03     .init .plt .plt.got .plt.sec .text .fini
    04     .rodata .eh_frame_hdr .eh_frame
    05     .init_array .fini_array .dynamic .got .data .bss
    06     .dynamic
    07     .note.gnu.property
    08     .note.gnu.build-id .note.ABI-tag
    09     .note.gnu.property
    10     .eh_frame_hdr
    11
    12     .init_array .fini_array .dynamic .got

On 8/5/20 12:51 PM, Jim Klassen wrote:
> Are you sure you need to supply those flags at all?  Are you using a 
> recent enough Linux Distribution?  I haven't built GDAL 2.3 in a long 
> time (it is very old), I suppose it is possible it is doing something 
> strange disabling PIE in the build system.
>
> My build of GDAL 3.1 on Debian 10 built PIE executables by default 
> (without me specifying any special compiler options).
>
> For my GDAL 3.1 build:
> $ readelf -l gdalinfo
>
> Elf file type is DYN (Shared object file)
> ...
>
>
>
> It looks like gcc/g++ in Debian 10 default to building PIE.  I'd 
> expect similar vintage Ubuntu derivatives would do the same:
>
> $ cat a.c
> int main() { return 0; }
> $ gcc a.c
> $ file a.out
> a.out: ELF 64-bit LSB *pie executable*, x86-64, version 1 (SYSV), 
> dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for 
> GNU/Linux 3.2.0, 
> BuildID[sha1]=fde557ade69c32cd2554ee888bc892175ae86867, not stripped
> $ readelf -l a.out
>
> Elf file type is DYN (Shared object file)
> ...
>
>
>
> On 8/5/20 9:55 AM, Brian M Hamlin wrote:
>>
>> Hi Kavitha -
>>
>>   In general, specialized security work is outside of the scope of 
>> the /educational mission/ at OSGeoLive project.
>>
>> ASLR is a security layer ?  from Google search..
>>
>> "Address Space Layout Randomization (*ASLR*) is a computer security 
>> technique which involves randomly positioning the base address of an 
>> executable and the position of libraries, heap, and stack, in a 
>> process's address space"
>>
>> Security is a concern at OSGeoLive, but not the primary concern. If 
>> you seek direct consulting hours, please consider a time+money budget 
>> to bring in additional skillsets.
>>
>> If you find a solution, please do not hesitate to share the results 
>> with the GDAL project and Ubuntu upstream, for better specialized 
>> security in the future.
>>
>>   others may have different resources for you on this topic
>>   best regards  --Brian
>>
>>
>> On 8/5/20 7:32 AM, Kavitha K wrote:
>>> Hi All,
>>>  We are trying to compile the gdal 2.3.2 source with ASLR. But we 
>>> are seeing the
>>>  Elf file type as EXEC (Executable file) instead of DYN.
>>>
>>>  Please help us with whether the gdal build supports compilation with 
>>> "-Fpie -pie -fPIC".
>>>
>>>  Steps which we followed:
>>>
>>>  cp gdalDevKits/gdal-2.3.2.tar.gz .
>>>
>>>  tar -xvf gdal-2.3.2.tar.gz
>>>
>>>  cd gdal-2.3.2
>>>
>>>  env CFLAGS="-Fpie -pie -fPIC" ./configure
>>>
>>>  make install
>>>
>>>  cd /usr/local/bin
>>>
>>>  readelf -l gdaltransform
>>>
>>>  Elf file type is EXEC (Executable file)
>>>
>>>  Entry point 0x40
>>> Thanks,
>>> Kavitha
>>>
>>> _______________________________________________
>>> osgeolive mailing list
>>> osgeolive at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/osgeolive
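
Added example (not part of the original thread, and not GDAL or OSGeoLive code): the check the messages above do by eye with readelf -l, as a small Python parser that reads the ELF64 header and program headers and reports the file type together with PIE, non-executable stack and RELRO status. PIE_LIKE and NON_PIE are constructed byte strings, not real binaries, and treating DYN plus PT_INTERP as "PIE" is a heuristic assumption (readelf prints DYN for shared libraries too).

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 0x1

def elf_hardening(data: bytes) -> dict:
    """Report file type, PIE, NX stack and RELRO for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    seen = {}  # segment type -> p_flags
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        seen[p_type] = p_flags
    return {
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
        # Heuristic: a position-independent executable is ET_DYN with an interpreter.
        "pie": e_type == ET_DYN and PT_INTERP in seen,
        # GNU_STACK flags "RW" (no E) mean the stack is not executable.
        "nx_stack": PT_GNU_STACK in seen and not seen[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in seen,
    }

def make_elf(e_type, segments):
    """Build a constructed ELF64 header plus program headers (no code or data)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return ehdr + phdrs

# Constructed sample shaped like the gdalinfo output above: DYN, GNU_STACK RW, GNU_RELRO.
PIE_LIKE = make_elf(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
# Constructed sample shaped like the EXEC result reported for gdaltransform.
NON_PIE = make_elf(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. /usr/bin/gdalinfo
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

Run against an installed binary by passing its path as an argument; a result of type EXEC with pie False corresponds to the "Elf file type is EXEC" line in the original question.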